Biconomy Hyphen 2.0 contest - cryptphi's results

Next-Gen Multichain Relayer Protocol.

General Information

Platform: Code4rena

Start Date: 10/03/2022

Pot Size: $75,000 USDT

Total HM: 25

Participants: 54

Period: 7 days

Judge: pauliax

Total Solo HM: 10

Id: 97

League: ETH

Biconomy

Findings Distribution

Researcher Performance

Rank: 48/54

Findings: 1

Award: $118.98

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Biconomy

Findings Information

🌟 Selected for report: hickuphh3

Also found by: 0v3rf10w, 0x1f8b, 0xDjango, 0xNazgul, 0xngndev, 0xwags, Cantor_Dust, CertoraInc, Dravee, IllIllI, PPrieditis, Ruhum, TerrierLover, WatchPug, XDms, benk10, berndartmueller, bitbopper, catchup, cmichel, cryptphi, csanuragjain, danb, defsec, gzeon, hagrid, hubble, jayjonah8, kenta, kyliek, minhquanym, rfa, robee, saian, samruna, throttle, ye0lde, z3s

Awards

118.9792 USDT - $118.98

Labels

bug

QA (Quality Assurance)

External Links

Link to GitHub issue

Title

Missing zero address check

Vulnerability details

Impact

LiquidityPool.withdrawErc20GasFee function has a missing zero address check. There is no zero address check to ensure the ERC Gas Fee is not sent to 0 address.

Proof of Concept

https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityPool.sol#L372-L381

Tools Used

Manual review on VSCode

Recommended Mitigation Steps

Add require check for the address passed in withdrawErc20GasFee()

Biconomy Hyphen 2.0 contest - cryptphi's results

Next-Gen Multichain Relayer Protocol.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-20] QA Report - $118.98

Findings Information

Awards

Labels

External Links

Title

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps